Terminating VPN into MPLS

tahscolony
Level 1

I am trying to design a way to use one router to terminate VPN connections, and for security reasons, keep traffic separate. So one internal interface is in vrf trusted, where I want to terminate a host of VPNs, and the other interface is in vrf untrusted, where I want to terminate other VPNs. The public side would not be in a vrf.

Is this possible, and is there an example of what the VPN configuration would look like? It would be standard L2L IPSec VPN. I already have the vrf configured with separate routing tables BGP and OSPF.


Philip D'Ath
VIP Alumni

I like to use ISAKMP profiles for this.

crypto keyring kr-client1
  pre-shared-key address ...

crypto isakmp profile isakmp-client1
  vrf client1
  keyring kr-client1
  match identity address ...
  local-address ...

crypto map cryptomap 113 ipsec-isakmp
  set isakmp-profile isakmp-client1
...

tahscolony
Level 1

Actually it's IPSec encrypted GRE tunnels. So if I create a tunnel interface in a vrf, and source the external non-vrf interface IP, will it work?

Are we talking about modern VTI tunnels, that use the "tunnel protection" command?

Just normal GRE over IPSec.

interface Tunnel64
 ip vrf forwarding Inside
 ip address 169.254.169.254 255.255.255.254
 tunnel source 1.2.3.4
 tunnel destination 4.3.2.1

Tunnel source is the outside interface of the router which is not associated with any vrf.

Yes, I believe that would work.
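
An added example, not code from anyone in this thread: a small Python check that a config of the kind discussed above keeps every VPN inside a VRF, flagging ISAKMP profiles with no `vrf` statement or an undefined keyring, and tunnel interfaces with no `vrf forwarding`. The sample config, its names and addresses, and the function names `stanzas` and `audit` are constructed for illustration.

```python
import re

# Constructed sample in the style of the thread's snippets; names, addresses
# and the mistakes in the "untrusted" stanzas are made up for this example.
SAMPLE = """\
crypto keyring kr-trusted
  pre-shared-key address 198.51.100.10 key EXAMPLE-ONLY
crypto isakmp profile isakmp-trusted
  vrf trusted
  keyring kr-trusted
crypto isakmp profile isakmp-untrusted
  keyring kr-untrusted
interface Tunnel64
 ip vrf forwarding trusted
 tunnel source 192.0.2.1
interface Tunnel65
 tunnel source 192.0.2.1
"""

def stanzas(config):
    """Group an IOS-style config into (header, [indented child lines])."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def audit(config):
    """Return findings that would undermine per-VRF traffic separation."""
    parsed = stanzas(config)
    keyrings = {h.split()[2] for h, _ in parsed if h.startswith("crypto keyring ")}
    findings = []
    for header, body in parsed:
        name = header.split()[-1]
        if header.startswith("crypto isakmp profile "):
            if not any(l.startswith("vrf ") for l in body):
                findings.append(f"{name}: no vrf statement")
            for l in body:
                if l.startswith("keyring ") and l.split()[1] not in keyrings:
                    findings.append(f"{name}: keyring {l.split()[1]} is not defined")
        elif re.fullmatch(r"interface Tunnel\d+", header):
            if not any(re.match(r"(ip )?vrf forwarding ", l) for l in body):
                findings.append(f"{name}: no vrf forwarding")
    return findings
```

Calling `audit(SAMPLE)` returns three findings, all on the constructed "untrusted" side; an empty list means every profile and tunnel in the config is pinned to a VRF and every referenced keyring exists.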